CVE-2021-24217

CVE-2021-24217: Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain

Vendor: Unknown
Product: Facebook for WordPress
Weakness: CWE-502 · Unsafe deserialization
Published: April 12, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user-supplied data, which makes it possible to supply PHP objects and creates an Object Injection vulnerability. The plugin also contained a usable magic method that could be used to achieve remote code execution.

Key dates

02 Disclosure timeline

April 12, 2021: CVE published
August 3, 2024: Record updated